From b6bdbe5d0104059d2bf8308afd0d00875a516322 Mon Sep 17 00:00:00 2001
From: Wojciech Kozlowski
Date: Sat, 22 Jul 2023 12:28:49 +0200
Subject: [PATCH] Add support for IPv6 wireguard client

---
 vpn/wireguard/meta/argument_specs.yml | 8 +++++++-
 vpn/wireguard/templates/IFACE | 29 ++++++++++++++++++++++++++-
 vpn/wireguard/templates/IFACE.conf | 2 +-
 3 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/vpn/wireguard/meta/argument_specs.yml b/vpn/wireguard/meta/argument_specs.yml
index b821dd1..d9acc64 100644
--- a/vpn/wireguard/meta/argument_specs.yml
+++ b/vpn/wireguard/meta/argument_specs.yml
@@ -18,9 +18,15 @@ argument_specs:
 vpn_wireguard_address:
 type: "str"
 required: true
- vpn_wireguard_netmask:
+ vpn_wireguard_prefixlen:
 type: "str"
 required: true
+ vpn_wireguard_address_v6:
+ type: "str"
+ required: false
+ vpn_wireguard_prefixlen_v6:
+ type: "str"
+ required: "{{ vpn_wireguard_address_v6 is defined }}"
 vpn_wireguard_port:
 type: "int"
 required: true
diff --git a/vpn/wireguard/templates/IFACE b/vpn/wireguard/templates/IFACE
index 8a9a75f..961e2eb 100644
--- a/vpn/wireguard/templates/IFACE
+++ b/vpn/wireguard/templates/IFACE
@@ -7,6 +7,10 @@ iface {{ vpn_wireguard_iface }} inet static
 post-up /usr/local/sbin/post-up-$IFACE-inet.nft
 post-up /usr/local/sbin/post-up-$IFACE-ipv4.nft
 {% if vpn_wireguard_role == "server" %}
+{% if vpn_wireguard_routing_table is defined %}
+ post-up ip rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
+ post-up ip -6 rule add sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
+{% endif %}
 {% for client in vpn_wireguard_clients %}
 {% if 'subnet' in client %}
 post-up ip route add {{ client.subnet }} dev $IFACE
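Review bot: `required: "{{ vpn_wireguard_address_v6 is defined }}"` on `vpn_wireguard_prefixlen_v6` only works if the role argument spec is templated and the rendered value is coerced to a boolean before validation; I have not confirmed that for this path, and if the value stays a string then `"False"` is truthy and the option becomes unconditionally required. The dependency can be expressed without templating: `required: false` here plus `required_together: [["vpn_wireguard_address_v6", "vpn_wireguard_prefixlen_v6"]]` at the entry-point level, if the ansible-core version in use accepts it there. Both new options are typed `str` and are written verbatim into the interfaces file and `ip` commands by the templates, so a short option `description` stating that these are trusted inventory values (an IPv6 address and a prefix length) would help the next reader.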
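Review bot: The two `ip rule add sport ... ipproto udp table ...` lines carry no explicit `priority`, so where this policy rule lands relative to any other rules already installed on the host when the interface comes up is not deterministic, and the matching `pre-down ... del` later in the file has nothing unique to select on. Pin it, e.g. `post-up ip rule add priority 100 sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}` (same for the `-6` line and both `del` lines). The `sport` and `ipproto` selectors need a reasonably recent iproute2 and kernel; on older hosts this post-up fails and `ifup` reports the interface as not brought up, which is worth a comment above the block. If the interface goes away without `pre-down` running, the next `ifup` re-adds the same rule, and kernels that reject duplicate fib rules abort the post-up chain at that point. The enclosing `{% if vpn_wireguard_role == "server" %}` block ends outside the hunk.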
@@ -22,6 +26,10 @@ iface {{ vpn_wireguard_iface }} inet static
 pre-down ip route del {{ client.subnet }} dev $IFACE
 {% endif %}
 {% endfor %}
+{% if vpn_wireguard_routing_table is defined %}
+ pre-down ip -6 rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
+ pre-down ip rule del sport {{ vpn_wireguard_port }} ipproto udp table {{ vpn_wireguard_routing_table }}
+{% endif %}
 {% elif vpn_wireguard_role == "client" %}
 pre-down ip route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
 {% endif %}
@@ -29,4 +37,23 @@ iface {{ vpn_wireguard_iface }} inet static
 pre-down /usr/local/sbin/pre-down-$IFACE-inet.nft
 
 address {{ vpn_wireguard_address }}
- netmask {{ vpn_wireguard_netmask }}
+ netmask {{ vpn_wireguard_prefixlen }}
+{% if vpn_wireguard_address_v6 is defined %}
+
+iface {{ vpn_wireguard_iface }} inet6 static
+{% if vpn_wireguard_role == "client" %}
+ post-up ip -6 route add default dev $IFACE table {{ vpn_wireguard_routing_table }}
+{% endif %}
+
+{% if vpn_wireguard_role == "client" %}
+ pre-down ip -6 route del default dev $IFACE table {{ vpn_wireguard_routing_table }}
+{% endif %}
+
+ address {{ vpn_wireguard_address_v6 }}
+ netmask {{ vpn_wireguard_prefixlen_v6 }}
+{% endif %}
+{% if vpn_wireguard_address_v6 is defined %}
+{% if vpn_wireguard_role == "server" %}
+ {{ __assert__wireguard_server_role_not_supported_for_ipv6 }}
+{% endif %}
+{% endif %}
diff --git a/vpn/wireguard/templates/IFACE.conf b/vpn/wireguard/templates/IFACE.conf
index 9448591..12ea9cc 100644
--- a/vpn/wireguard/templates/IFACE.conf
+++ b/vpn/wireguard/templates/IFACE.conf
@@ -21,7 +21,7 @@ AllowedIPs = {{ vpn_wireguard_subnet }}
 PublicKey = {{ vpn_wireguard_server_public_key }}
 PresharedKey = {{ vpn_wireguard_server_preshared_key }}
 Endpoint = {{ vpn_wireguard_server_address }}:{{ vpn_wireguard_port }}
-AllowedIPs = 0.0.0.0/0
+AllowedIPs = 0.0.0.0/0, ::/0
 PersistentKeepalive = 15
 {% endif %}
 
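Review bot: The new `inet6 static` stanza installs no nftables hooks, whereas the `inet` stanza (its post-up lines are outside this hunk) runs both `post-up-$IFACE-inet.nft` and a family-specific `post-up-$IFACE-ipv4.nft`; once `ip -6 route add default dev $IFACE table ...` steers IPv6 through the tunnel, any IPv6 policy that the ipv4 script's counterpart would carry is simply absent, which is how tunnel traffic ends up unfiltered or leaking. I cannot see the nft scripts, so please confirm whether the ipv4 script holds tunnel policy; if it does, the stanza needs `post-up /usr/local/sbin/post-up-$IFACE-ipv6.nft` and a matching pre-down. The server guard at the bottom works by rendering the undefined name `__assert__wireguard_server_role_not_supported_for_ipv6` so that templating fails; that depends on undefined-variable errors being enabled and yields an opaque message, so an `ansible.builtin.assert` task in the role with `that: not (vpn_wireguard_role == "server" and vpn_wireguard_address_v6 is defined)` and a `fail_msg` saying the server role does not support IPv6 would be both more robust and self-explanatory. If the template trick is kept, a comment line above it stating that it is a deliberate render-time assertion is the minimum.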
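Review bot: `AllowedIPs = 0.0.0.0/0, ::/0` is now unconditional in the client peer block, while the `inet6` stanza in `templates/IFACE` is only rendered when `vpn_wireguard_address_v6` is defined; for a v4-only client this widens the cryptokey-routing ingress filter so the server peer can deliver packets with any IPv6 source into the host through the tunnel even though the interface has no IPv6 address or route. Gate it on the same condition: `AllowedIPs = 0.0.0.0/0{% if vpn_wireguard_address_v6 is defined %}, ::/0{% endif %}`. The enclosing client branch of the `{% if %}` starts outside the hunk.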